DOS attack

francoisbel at my-deja.com francoisbel at my-deja.com
Mon Jan 31 20:10:01 UTC 2000


(bind 8.2.1, solaris 2.5)

We had an attack on our bind server over the
weekend but are having a hard time tracking the
intruder and what exactly the hacker did. This is
the second time this has happened, and we are forced to
reboot the server because we cannot
quickly track down the cause of the problem.

Starting at 15:51, we had entries like these from
syslog:

Jan 29 15:51:46 ourhostname named[4519]: ns_req:
sendto([24.2.8.67].33138): Resource temporarily
unavailable
Jan 29 15:51:46 ourhostname named[4519]: ns_req:
sendto([255.255.255.255].1558): Resource
temporarily unavailable
Jan 29 15:51:47 ourhostname named[4519]: ns_req:
sendto([204.71.45.2].53): Resource temporarily
unavailable
Jan 29 15:51:47 ourhostname named[4519]: ns_req:
sendto([209.244.5.44].53): Resource temporarily
unavailable
Jan 29 15:51:50 ourhostname named[4519]: ns_req:
sendto([207.217.126.81].53): Resource temporarily
unavailable
Jan 29 15:51:50 ourhostname named[4519]: ns_req:
sendto([208.133.80.8].51239): Resource temporarily
unavailable

Within 40 minutes (until we rebooted), we got 201 of
those entries, while there were none before that time.

XSTATS logs show a big difference in SErr between
15:24 and 16:24, from 0 to 2052:

Jan 29 15:24:55 ourhostname named[4519]: XSTATS
949177495 948990314 RR=310240 RNXD=6895
RFwdR=59519 RDupR=1547 RFail=2637 RFErr=0 RErr=274
RAXFR=7 RLame=41533 ROpts=0 SSysQ=204025
SAns=416996 SFwdQ=55146 SDupQ=54431 SErr=0
RQ=472057 RIQ=5 RFwdQ=0 RDupQ=668 RTCP=41
SFwdR=59519 SFail=0 SFErr=0 SNaAns=366881
SNXD=46292

Jan 29 16:24:55 ourhostname named[4519]: XSTATS
949181095 948990314 RR=313054 RNXD=6934
RFwdR=60154 RDupR=1579 RFail=2639 RFErr=0 RErr=274
RAXFR=7 RLame=41863 ROpts=0 SSysQ=205829
SAns=422468 SFwdQ=55768 SDupQ=55639 SErr=2052
RQ=478155 RIQ=5 RFwdQ=0 RDupQ=678 RTCP=41
SFwdR=60154 SFail=0 SFErr=0 SNaAns=370490
SNXD=46502

Any idea what could have caused this and how to
prevent it from happening a 3rd time? Also, we are
about to patch to level 8.2.2-P5 but I'm wondering
if this will fix


Sent via Deja.com http://www.deja.com/
Before you buy.
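As an added example (not part of the post or of BIND), a small Python triage script over the kind of syslog lines quoted above: it parses the ns_req sendto failures and the XSTATS snapshots, reports the per-interval growth of cumulative counters such as SErr, and flags reply destinations that are not globally routable. The sample log is constructed from the lines in the post, unwrapped onto one syslog line each; the hostname and pid are the post's placeholders.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: the two XSTATS snapshots and three of the ns_req errors
# from the post, each rejoined onto a single syslog line.
SAMPLE_SYSLOG = """\
Jan 29 15:24:55 ourhostname named[4519]: XSTATS 949177495 948990314 RR=310240 RNXD=6895 RFwdR=59519 RDupR=1547 RFail=2637 RFErr=0 RErr=274 RAXFR=7 RLame=41533 ROpts=0 SSysQ=204025 SAns=416996 SFwdQ=55146 SDupQ=54431 SErr=0 RQ=472057 RIQ=5 RFwdQ=0 RDupQ=668 RTCP=41 SFwdR=59519 SFail=0 SFErr=0 SNaAns=366881 SNXD=46292
Jan 29 15:51:46 ourhostname named[4519]: ns_req: sendto([24.2.8.67].33138): Resource temporarily unavailable
Jan 29 15:51:46 ourhostname named[4519]: ns_req: sendto([255.255.255.255].1558): Resource temporarily unavailable
Jan 29 15:51:47 ourhostname named[4519]: ns_req: sendto([204.71.45.2].53): Resource temporarily unavailable
Jan 29 16:24:55 ourhostname named[4519]: XSTATS 949181095 948990314 RR=313054 RNXD=6934 RFwdR=60154 RDupR=1579 RFail=2639 RFErr=0 RErr=274 RAXFR=7 RLame=41863 ROpts=0 SSysQ=205829 SAns=422468 SFwdQ=55768 SDupQ=55639 SErr=2052 RQ=478155 RIQ=5 RFwdQ=0 RDupQ=678 RTCP=41 SFwdR=60154 SFail=0 SFErr=0 SNaAns=370490 SNXD=46502
"""

# Common syslog prefix: "Mon DD HH:MM:SS host named[pid]: "
TS = r"(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
SENDTO_RE = re.compile(TS + r"ns_req: sendto\(\[(?P<ip>[\d.]+)\]\.(?P<port>\d+)\): (?P<err>.+)$")
XSTATS_RE = re.compile(TS + r"XSTATS (?P<now>\d+) (?P<start>\d+) (?P<fields>.*)$")

def parse(text):
    """Split syslog text into ns_req sendto failures and XSTATS snapshots."""
    errors, stats = [], []
    for line in text.splitlines():
        if m := SENDTO_RE.match(line):
            errors.append(m.groupdict())
        elif m := XSTATS_RE.match(line):
            counters = {k: int(v) for k, v in (kv.split("=") for kv in m["fields"].split())}
            stats.append({"ts": m["ts"], "now": int(m["now"]), "counters": counters})
    return errors, stats

def counter_deltas(stats, name):
    """XSTATS counters are cumulative since start; return (ts, growth, seconds) per interval."""
    return [(b["ts"], b["counters"][name] - a["counters"][name], b["now"] - a["now"])
            for a, b in zip(stats, stats[1:])]

def suspicious_destinations(errors):
    """Reply targets that are not globally routable (broadcast, multicast, reserved).
    No real client can query from such an address, so the triggering query carried
    a forged or garbage source; worth correlating with the ingress traffic capture."""
    return sorted({e["ip"] for e in errors if not ip_address(e["ip"]).is_global})

def errors_per_second(errors):
    """sendto failures per second. 'Resource temporarily unavailable' is the text for
    EAGAIN: the non-blocking UDP socket's send buffer was full, i.e. named was trying
    to push replies out faster than the host could transmit them."""
    return Counter(e["ts"] for e in errors)

def summarize(text):
    errors, stats = parse(text)
    return {"sendto_errors": len(errors),
            "peak_per_second": max(errors_per_second(errors).values(), default=0),
            "non_global_destinations": suspicious_destinations(errors),
            "SErr_growth": counter_deltas(stats, "SErr")}
```

Running `summarize(SAMPLE_SYSLOG)` over a full day's log, rather than this excerpt, shows when SErr first starts climbing and which reply destinations were unroutable, which is the correlation the post is missing.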


